Issue with Microsoft Intune Company Portal for Linux visibility in Enterprise Applications

Question

Issue with Microsoft Intune Company Portal for Linux visibility in Enterprise Applications

Niederauer,Till (IT INF) BIG-DE-I 25

I'm experiencing an issue where the Microsoft Intune Company Portal for Linux application is visible in one Azure tenant but not in another, despite seeing it in the sign-in logs of the second tenant.

What I've observed:

In Tenant A: The app appears normally in Enterprise applications with creation date 2/19/2025
In Tenant B: The app doesn't appear when searched, but I can see authentication attempts in the sign-in logs

What I've tried:

Searching specifically for "Microsoft Intune Company Portal for Linux" in both tenants
Verifying the app exists through sign-in logs in Tenant B

My goal:

I need to assign custom security attributes to this application, but I can't do this without accessing it through Enterprise applications. It's for conditional access

Questions:

How can I make this service principal visible in Tenant B?
Is there a way to register/expose this built-in enterprise app if it's not appearing?
Are there PowerShell commands or other methods to assign security attributes to an application that isn't visible in the portal?

Any assistance would be greatly appreciated! App

NonApp

Niederauer,Till (IT INF) BIG-DE-I 25 Reputation points

2025-03-07T23:25:26.0633333+00:00
Hey,

thanks again but I now got an additional problem. I assigned a security attribute for Conditional access but I am still getting blocked by CA. Looks like it is not recognized. However I tried to exclude that app from CA but in the GUI I can't find/select it. When I try to add directly via graph API I get this response:

Any ideas how I can exclude this app from default block rule?

{ "error": { "code": "BadRequest", "message": "1034: Policy contains invalid applications: {\"2c788fb4-38d5-4c20-9064-d0e62578ffb2\":\"ServicePrincipalNotFound\"}", "innerError": { "date": "2025-03-07T23:24:30", "request-id": "1bdd22fc-xxxx-xxxx-xxxx-76e772e94053", "client-request-id": "xxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" } } }
Sanoop M 4,310 Reputation points Moderator

2025-03-08T00:38:48.7133333+00:00

Hello @Niederauer,Till (IT INF) BIG-DE-I,

Thank you for your response.

I understand that even after creating a Service Principal for the application Microsoft Intune Company Portal for Linux in your Tenant B, when you are trying to exclude this application Microsoft Intune Company Portal for Linux from the CA policy, you are unable to find the application.

Please note that since Azure AD PowerShell is currently in deprecation stage, so we would recommend you to use Microsoft Graph PowerShell instead of Azure AD PowerShell. Please follow the below steps.

1.Open PowerShell as an Administrator.

2.Install Microsoft Graph Module. Run the following command to install the Microsoft.Graph module.

Install-Module Microsoft.Graph

3.Import Microsoft Graph Module by running the below PowerShell command.

Import-Module Microsoft.Graph

4.Authenticate with Microsoft Graph

You need to authenticate your session with the appropriate permissions. The command below will prompt you to log in and grant the necessary permissions (you’ll need Directory.Read.All and AuditLog.Read.All scopes):

Connect-MgGraph -Scopes Directory.Read.All,AuditLog.Read.All

A sign-in window will appear where you need to enter your Microsoft Entra ID credentials. Please ensure you have the required permissions to access this data.

Please note that if you run the below Microsoft Graph PowerShell cmdlet by opening PowerShell as an Administrator, then you can see the Microsoft Intune Company Portal for Linux application under CA policy exclusion list.

Update-MgServicePrincipal -ObjectId "ab2090ac-f980-4517-ac00-a27a0f38573f"-Tags WindowsAzureActiveDirectoryCustomSingleSignOnApplication

Please refer to the below Screenshot from my test tenant where after running the above PowerShell command, I can see this application Microsoft Intune Company Portal for Linux under CA policy exclusion list.

Please let me know if you have any other queries. I am looking forward to your response.

Niederauer,Till (IT INF) BIG-DE-I 25

Thank you again. Now I am able to select Microsoft Intune Company Portal for Linux Service Principal but it is not recognized and gets blocked by CA.

I tried now the things listed below to exclude the app:

using filters
exclude the service principal

Any idea why this fails? how I can allow the login Microsoft Intune Company Portal for Linux to login while enforcing CA?

My current CA rule looks like this:

{
    "conditions": {
        "applications": {
            "includeApplications": [
                "All"
            ],
            "excludeApplications": [
                "b743a22d-6705-4147-8670-d92fa515ee2b"
            ],
            "includeUserActions": [],
            "includeAuthenticationContextClassReferences": [],
            "applicationFilter": null,
            "globalSecureAccess": null
        },
        "clients": null,
        "users": {
            "includeUsers": [
                "All"
            ],
            "excludeUsers": [

            ],
            "includeGroups": [],
            "excludeGroups": [
            ],
            "includeRoles": [],
            "excludeRoles": [],
            "includeGuestsOrExternalUsers": null,
            "excludeGuestsOrExternalUsers": null
        },
        "clientApplications": null,
        "platforms": {
            "includePlatforms": [
                "linux"
            ],
            "excludePlatforms": []
        },
        "locations": null,
        "userRiskLevels": [],
        "signInRiskLevels": [],
        "insiderRiskLevels": null,
        "signInRiskDetections": null,
        "clientAppTypes": [
            "all"
        ],
        "times": null,
        "devices": null,
        "servicePrincipalRiskLevels": [],
        "authenticationFlows": null
    },
    "displayName": "CA112 Platform: Linux; App: All; Method: All; Action: Block",
    "grantControls": {
        "operator": "OR",
        "builtInControls": [
            "block"
        ],
        "customAuthenticationFactors": [],
        "termsOfUse": [],
        "authenticationStrength": null
    },
    "sessionControls": null,
    "state": "enabled"
}

User's image

Sanoop M 4,310 Reputation points Moderator

2025-03-10T17:45:55.7933333+00:00

Hello @Niederauer,Till (IT INF) BIG-DE-I,

Thank you for your response.

Please send us an email on 'azcommunity@microsoft.com' with Sub - "ATTN: sanoopm" and following details in the email body: Link to this thread/post.

We can connect offline and discuss further on this issue.

Accepted answer

1 additional answer

Your answer

Niederauer,Till (IT INF) BIG-DE-I 25 Reputation points

2025-03-07T23:25:26.0633333+00:00

Hey,

thanks again but I now got an additional problem. I assigned a security attribute for Conditional access but I am still getting blocked by CA. Looks like it is not recognized. However I tried to exclude that app from CA but in the GUI I can't find/select it. When I try to add directly via graph API I get this response:

Any ideas how I can exclude this app from default block rule?

{ "error": { "code": "BadRequest", "message": "1034: Policy contains invalid applications: {\"2c788fb4-38d5-4c20-9064-d0e62578ffb2\":\"ServicePrincipalNotFound\"}", "innerError": { "date": "2025-03-07T23:24:30", "request-id": "1bdd22fc-xxxx-xxxx-xxxx-76e772e94053", "client-request-id": "xxxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" } } }
Niederauer,Till (IT INF) BIG-DE-I 25 Reputation points

2025-03-08T10:00:41.1666667+00:00

Thank you again. Now I am able to select Microsoft Intune Company Portal for Linux Service Principal but it is not recognized and gets blocked by CA.

I tried now the things listed below to exclude the app:

using filters

exclude the service principal

Any idea why this fails? how I can allow the login Microsoft Intune Company Portal for Linux to login while enforcing CA?

My current CA rule looks like this:

{ "conditions": { "applications": { "includeApplications": [ "All" ], "excludeApplications": [ "b743a22d-6705-4147-8670-d92fa515ee2b" ], "includeUserActions": [], "includeAuthenticationContextClassReferences": [], "applicationFilter": null, "globalSecureAccess": null }, "clients": null, "users": { "includeUsers": [ "All" ], "excludeUsers": [ ], "includeGroups": [], "excludeGroups": [ ], "includeRoles": [], "excludeRoles": [], "includeGuestsOrExternalUsers": null, "excludeGuestsOrExternalUsers": null }, "clientApplications": null, "platforms": { "includePlatforms": [ "linux" ], "excludePlatforms": [] }, "locations": null, "userRiskLevels": [], "signInRiskLevels": [], "insiderRiskLevels": null, "signInRiskDetections": null, "clientAppTypes": [ "all" ], "times": null, "devices": null, "servicePrincipalRiskLevels": [], "authenticationFlows": null }, "displayName": "CA112 Platform: Linux; App: All; Method: All; Action: Block", "grantControls": { "operator": "OR", "builtInControls": [ "block" ], "customAuthenticationFactors": [], "termsOfUse": [], "authenticationStrength": null }, "sessionControls": null, "state": "enabled" }
Sanoop M 4,310 Reputation points Moderator

2025-03-10T17:45:55.7933333+00:00

Hello @Niederauer,Till (IT INF) BIG-DE-I,

Thank you for your response.

Please send us an email on 'azcommunity@microsoft.com' with Sub - "ATTN: sanoopm" and following details in the email body: Link to this thread/post.

We can connect offline and discuss further on this issue.

Answer 1

Hello @Niederauer,Till (IT INF) BIG-DE-I,

Thank you for posting your query on Microsoft Q&A.

I understand that Microsoft Intune Company Portal for Linux application is visible in one Azure tenant but not visible in another Azure tenant, despite seeing it in the sign-in logs of the second tenant.

Question 1:

How can I make this service principal visible in Tenant B?

Answer:

Please note that if the application named Microsoft Intune Company Portal for Linux is not visible under Enterprise Applications section, then you can create a Service Principal for Microsoft Intune Company Portal for Linux application through PowerShell commands.

Question 2:

Is there a way to register/expose this built-in enterprise app if it's not appearing?

Answer:

Yes you can create a Service Principal for the Microsoft Intune Company Portal for Linux application by following the below steps by running the below PowerShell commands if the application is not visible under Enterprise Applications section in Microsoft Entra ID.

1.Open PowerShell as an Administrator.

2.Run the below PowerShell command.

Install-Module AzureADPreview

3.After installing the AzureADPreview module, please run the below PowerShell command.

Connect-AzureAD

4.It will prompt you to enter your Microsoft Entra ID credentials, please enter your Microsoft Entra ID credentials of the Tenant B where the application named Microsoft Intune Company Portal for Linux is not visible under Enterprise Applications section.

5.It will show you the tenant details with Global admin account UPN, Environment, TenantID, TenantDomain and AccountType.

6.Please run the below PowerShell command to create a Service Principal for the Microsoft Intune Company Portal for Linux application in your Tenant B.

New-AzureADServicePrincipal -DisplayName "Microsoft Intune Company Portal for Linux"

7.It will prompt you to enter the AppId of the application Microsoft Intune Company Portal for Linux as mentioned in the below Screenshot.

User's image

8.Please enter the AppID: b743a22d-6705-4147-8670-d92fa515ee2b.

9.Now the Service Principal for the application named Microsoft Intune Company Portal for Linux will be created under Enterprise Applications section in Tenant B.

10.You can verify it by signing in to the Tenant B and navigate to Microsoft Entra ID ->Enterprise Applications -> Search for Microsoft Intune Company Portal for Linux application.

Please note that I have tested in my test tenant where initially Microsoft Intune Company Portal for Linux application was not visible under Enterprise Applications section and please refer to the below Screenshot where the application Microsoft Intune Company Portal for Linux is visible after creating Service Principal by following the above PowerShell commands

User's image

I hope this above information provided is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Niederauer,Till (IT INF) BIG-DE-I 25 Reputation points

2025-03-07T22:08:18.5266667+00:00

Thank you - that solved my problem!!

Answer 2

thank you so much for your support on this. This was super helpful however Conditional access does not exclude the app. As an alternative solution, we have explored using Privileged Identity Management (PIM). This time-limited approach temporarily excludes users from the Conditional Access policy and works as follows:

Minimum exclusion time is 30 minutes
Users must manually activate this exclusion through the Azure portal
Once activated, the user becomes a member of the CA exclusion group for the duration

Share via

Issue with Microsoft Intune Company Portal for Linux visibility in Enterprise Applications

What I've observed:

What I've tried:

My goal:

Questions:

1 additional answer

Your answer